All but one of these links no longer provide content (and the 6 free tools reference Spike, which is no longer available). Is there a modern day list? (Sad that 'modern day' is merely 40 months later...)
– Wild Bill Mar 28 '14 at 0:58

You should start with any interactive web proxy, such as Burp Proxy, Paros, etc.
Myself, I'm partial to Fiddler. Whichever tool you choose, this lets you examine all the request/response flow, and interact with the requests post-javascript. Great place to start.

Eventually, I imagine OWASP's code crawler will support PHP too... though right now I'm not familiar with any free automated tool for this. Just manual eyeballs for now...
Of course you can go for one of the big vendors, e.g. Fortify, Ounce Labs, etc. - but that's quite expensive and another can of worms...

There are tons of tools and it's really a personal preference on what one will use for a pentest. So try all of those mentioned by me and others and choose ones that fit you best.

For security code review (whitebox test), I'd recommend using RIPS. It's the best among those I tried.

For doing some blackbox testing, you certainly need some intercepting proxy. There's a lot of those, but I'd suggest you take a look at Fiddler if you're on Windows. Burp / WebScarab / Zed Attack Proxy are great too. If you want to automate some of the injection tests, grab some common payloads from fuzzdb.

Also, make yourself familiar with browser addons like Firebug and Chrome Developer Tools; they are a great help.

If you want to make sure you don't miss anything, the best way is to get an actual expert to look at it. Too many problems arise in websites where a developer simply isn't aware that they aren't following best practices, or fail to understand that common "secure" practices aren't actually secure at all! (e.g. "I don't need to parameterize my SQL so long as I replace single quotes with backslash single-quotes, right!?").

If you're a company, hire an external pentesting company to do a test of your application. They're not very expensive, and they'll find most of the issues. It's certainly cheaper for a company to hire a pentesting firm than to waste days of time training staff members on full salary how to find some bugs, and it's certainly cheaper than trying to rebuild your company after a major breach of customer data.
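The "just backslash the single quotes" idea quoted above, worked through as an added example (not code from any of the answers) using Python's built-in sqlite3 driver. The users table and its two rows are constructed for the demo; the point is that hand-rolled escaping is dialect-specific and can be undone, while a bound parameter is never parsed as SQL.

```python
"""Added example: why replacing ' with \\' is not a substitute for parameterized
queries. The table and rows below are constructed for the demonstration."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def naive_escape(value):
    # The hand-rolled "fix" from the answer: replace ' with \' and nothing else.
    return value.replace("'", "\\'")


def lookup_unsafe(conn, name):
    # Query text assembled from the (naively escaped) input.
    sql = "SELECT role FROM users WHERE name = '%s'" % naive_escape(name)
    return [row[0] for row in conn.execute(sql)]


def naive_escape_breaks_sqlite(conn, name):
    # SQLite has no backslash escapes, so 'O\'Brien' is a truncated literal
    # followed by garbage: a legitimate name now fails with a syntax error.
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_safe(conn, name):
    # Parameterized: the driver binds the value as data, never as SQL text.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def literal_ends_early(escaped_value):
    """Read an escaped value the way a backslash-escaping dialect (MySQL-style)
    reads a string literal; True if a quote inside it would close the literal."""
    i = 0
    while i < len(escaped_value):
        if escaped_value[i] == "\\":
            i += 2          # a backslash consumes whatever character follows
            continue
        if escaped_value[i] == "'":
            return True     # unescaped quote: the literal terminates here
        i += 1
    return False
```

A backslash supplied in the input (`\'`) becomes `\\'` after the naive escape, so on a backslash-escaping dialect the quote is live again, whereas `lookup_safe` returns the same (empty) result for it as for any other unknown name.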